Perfect Forward Secrecy in Airlock

Submitted on 14. October 2013 - 10:58 by mbu. Last update on 27. May 2014 - 9:58.

Affects version(s): 4.2, 5.0

Introduction

The revelations regarding NSA's PRISM program have changed the way we think about certain aspects of Internet security. For instance, PRISM collects not only unencrypted traffic but also large volumes of encrypted SSL traffic. Encrypted traffic can be stored, subjected to cryptanalysis and, in case the corresponding secret key becomes available, decrypted months or even years later.

In a typical SSL handshake, the web server is first authenticated using the private key associated with the web server's certificate. In a second step, client and server agree on a session key used to encrypt the payload of the connection. The session key is used only for the lifetime of the session and discarded after the session is closed. The problem is that today SSL/TLS often use RSA key exchange cipher suites, in which the client encrypts the pre-master secret with the server's public key, so the session key can be recovered by whoever holds the server's private key. Consequently, the session keys of recorded traffic could also be calculated in the future, in case the underlying private key became known.

With Perfect Forward Secrecy (PFS), session keys are not derived from the long-term private key. Therefore, attackers cannot decrypt recorded traffic even if they later get hold of the private key used to authenticate the session handshake. PFS is achieved by using the Diffie-Hellman key exchange protocol with ephemeral parameters: each side generates a fresh random secret for the session, the session key is computed from these secrets alone, and they are discarded once the handshake completes. The certificate's private key only signs the handshake; it is never an input to the session key.

Cipher suites that offer PFS are DHE (ephemeral Diffie-Hellman) as well as ECDHE (elliptic-curve DHE). ECDHE imposes less computational overhead during the handshake than DHE. Note that cipher suites with DH only (not ephemeral) do not provide PFS, because the server's DH key is fixed and knowledge of that key allows reconstruction of all past session keys.
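The following is an added example (not Airlock code) that makes the key-lifetime argument above concrete with a small pure-Python ECDH implementation on the standard NIST P-256 curve. `ecdhe_session` uses fresh key pairs on both sides and discards them, so a recorded handshake contains only public points; `static_dh_session` together with `recover_from_capture` shows the non-ephemeral failure mode the text describes, where a recorded handshake plus a later-compromised long-term key is enough to recompute the session key. The function names and the simplified session layout are assumptions of this example; the curve constants are the published P-256 parameters.

```python
"""Ephemeral vs. static Diffie-Hellman on P-256, to show what forward secrecy buys.

Added example, not Airlock code. Uses the standard NIST P-256 parameters with a
minimal affine-coordinate implementation: enough to show the key-lifetime
argument, not a constant-time or production-grade library.
"""
import hashlib
import secrets

# NIST P-256: y^2 = x^3 - 3x + B over GF(P); G generates a group of prime order N.
P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
A = -3
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
G = (0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296,
     0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5)
N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
INF = None  # point at infinity


def on_curve(pt):
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0


def point_add(p1, p2):
    """Affine point addition; handles doubling and the P + (-P) case."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def scalar_mult(k, pt):
    """Double-and-add; fine for a demo, not constant time."""
    result, addend = INF, pt
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def keygen():
    priv = secrets.randbelow(N - 1) + 1
    return priv, scalar_mult(priv, G)


def encode(pt):
    return pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")


def derive_key(shared, transcript):
    """Session key = SHA-256(shared x-coordinate || handshake transcript)."""
    return hashlib.sha256(shared[0].to_bytes(32, "big") + transcript).digest()


def ecdhe_session():
    """ECDHE handshake: both sides use a fresh key pair and then forget it.

    Returns what a passive observer could record (the two public points) plus
    the session key each side computed. In TLS the server's certificate key
    would only sign these values; it never enters the key computation.
    """
    s_priv, s_pub = keygen()
    c_priv, c_pub = keygen()
    transcript = encode(s_pub) + encode(c_pub)
    server_key = derive_key(scalar_mult(s_priv, c_pub), transcript)
    client_key = derive_key(scalar_mult(c_priv, s_pub), transcript)
    del s_priv, c_priv  # ephemeral secrets are discarded with the session
    return {"server_pub": s_pub, "client_pub": c_pub}, server_key, client_key


def static_dh_session(server_static_pub):
    """Static (EC)DH: the server reuses one fixed key pair for every session."""
    c_priv, c_pub = keygen()
    transcript = encode(server_static_pub) + encode(c_pub)
    key = derive_key(scalar_mult(c_priv, server_static_pub), transcript)
    return {"server_pub": server_static_pub, "client_pub": c_pub}, key


def recover_from_capture(server_static_priv, captured):
    """Recorded static-DH handshake + later key compromise = the session key.

    This is the failure mode the article describes for non-ephemeral suites.
    The same computation is useless against an ECDHE capture: the matching
    private scalar was ephemeral and no longer exists anywhere.
    """
    transcript = encode(captured["server_pub"]) + encode(captured["client_pub"])
    shared = scalar_mult(server_static_priv, captured["client_pub"])
    return derive_key(shared, transcript)
```

Running `ecdhe_session()` twice yields two unrelated session keys from the same long-term identity, while `static_dh_session` leaves a capture that `recover_from_capture` turns back into the key as soon as the fixed private scalar leaks. In practice the curve arithmetic belongs to the TLS library; the point here is only which secrets exist after the handshake.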

Airlock 5

Airlock 5 supports both DHE and ECDHE. Using "Apache Expert Settings", cipher suites offered by virtual hosts can be freely configured in the Configuration Center. Please refer to this article for more information on the default cipher suites.

Airlock 4.2.6.3

Airlock 4.2.6.3 supports both DHE and ECDHE. Please refer to this article for more information on the default cipher suites.

Airlock 4.2.6.2 and earlier

Airlock 4.2.6.2 only supports DHE, and by default DHE is not enabled. Hotfix HF4218 updates the SSL cipher suite configuration of Airlock: DHE ciphers are enabled and the priority of RC4 is reduced.

If you want to configure a custom cipher suite for Airlock 4.2.x, please refer to this article for more information.
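As an added example (not part of the Airlock article or product), here is a small Python check over an OpenSSL-style colon-separated cipher list, the kind of string a custom cipher suite configuration ends up as. It flags the two conditions the sections above care about: non-PFS suites ranked above DHE/ECDHE suites, and RC4 suites ranked above non-RC4 ones. It assumes explicit suite names (OpenSSL keyword groups such as HIGH are skipped, not expanded), and the classification by name prefix is this example's own simplification; the sample lists are constructed, not Airlock defaults.

```python
"""Audit an OpenSSL-style cipher list for forward secrecy and RC4 ranking.

Added example, not Airlock code. Input is a colon-separated list of explicit
OpenSSL suite names; keywords such as HIGH or !aNULL are skipped, not expanded.
"""


def key_exchange(suite):
    """Key-exchange method implied by an OpenSSL suite name (prefix convention)."""
    if suite.startswith("ECDHE-"):
        return "ECDHE"   # ephemeral elliptic-curve DH: PFS
    if suite.startswith(("DHE-", "EDH-")):
        return "DHE"     # ephemeral finite-field DH: PFS
    if suite.startswith("ECDH-"):
        return "ECDH"    # static elliptic-curve DH: no PFS
    if suite.startswith("DH-"):
        return "DH"      # static DH: no PFS
    return "RSA"         # RSA key transport (e.g. AES128-SHA): no PFS


def has_pfs(suite):
    return key_exchange(suite) in ("ECDHE", "DHE")


def suites_in(cipher_list):
    """Explicit suite names in configured order; keywords and modifiers dropped."""
    keywords = {"HIGH", "MEDIUM", "LOW", "ALL", "DEFAULT", "COMPLEMENTOFDEFAULT"}
    return [s for s in cipher_list.split(":")
            if s and s[0] not in "!-+@" and s not in keywords]


def audit(cipher_list):
    """Return a list of findings; an empty list means the ranking looks sane."""
    suites = suites_in(cipher_list)
    findings = []
    if not any(has_pfs(s) for s in suites):
        findings.append("no DHE/ECDHE suite is offered")
    # Every PFS suite should rank above every non-PFS suite.
    first_non_pfs = None
    for s in suites:
        if not has_pfs(s):
            first_non_pfs = first_non_pfs or s
        elif first_non_pfs is not None:
            findings.append(f"non-PFS suite {first_non_pfs} ranked above PFS suite {s}")
            break
    # RC4 suites should sit below every non-RC4 suite.
    first_rc4 = None
    for s in suites:
        if "RC4" in s:
            first_rc4 = first_rc4 or s
        elif first_rc4 is not None:
            findings.append(f"RC4 suite {first_rc4} ranked above {s}")
            break
    return findings


if __name__ == "__main__":
    # Constructed sample lists for illustration, not Airlock defaults.
    weak = "AES128-SHA:RC4-SHA:DHE-RSA-AES128-SHA"
    hardened = ("ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:"
                "AES128-GCM-SHA256:RC4-SHA")
    for name, lst in (("weak", weak), ("hardened", hardened)):
        print(name, audit(lst) or "OK")
```

The check only looks at server-side preference order, so it is meaningful together with a setting that makes the server enforce its order (in Apache terms, `SSLHonorCipherOrder on`); without that, the client's preference decides which suite is negotiated.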